A Hekate receipt turns a preflight decision into portable evidence: what was checked, which policy applied, what evidence was hashed, who issued it, and which claim boundary applies.
Binds the receipt to the agent config, MCP manifest, endpoint, or workflow checked.
Policy hash
Binds the decision to the exact policy in force at scan time.
Evidence hash
Binds the receipt to findings, request metadata, verifier output, and audit evidence.
Scanner version
Makes changes in check logic visible to auditors and downstream verifiers.
Signature
Lets clients verify issuer identity without trusting a screenshot or mutable log line.
Sample JSON
Not production evidence.
{
"receipt_type": "hekate.security_preflight.v1",
"receipt_id": "sec_sample_2026_05_22",
"subject": {
"type": "mcp_manifest",
"id": "acme-sales-mcp",
"config_hash": "sha256:7f5a5c68d91f1c7b0b7f2d8f4f1a4b1d5b4e2e7e6b8a9c0d5f2e3a4b5c6d7e8f"
},
"policy_hash": "sha256:2b6b5c0a9e7f6d5c4b3a2918172635445566778899aabbccddeeff0011223344",
"scanner_version": "hekate-torch@0.1.0",
"decision": "block",
"risk_score": 87,
"critical_findings": 2,
"high_findings": 1,
"evidence_hash": "sha256:9a7d6f5e4c3b2a1908172635445566778899aabbccddeeff0011223344556677",
"issued_at": "2026-05-22T00:00:00.000Z",
"issuer": "hekate-gate",
"signature": {
"scheme": "ed25519.signer.v1",
"key_id": "hekate_receipts_testnet_001",
"value": "ed25519:sample_signature_not_for_production"
},
"claim_boundary": "sample receipt only; not a production certification and not a guarantee of agent safety"
}
Verification boundary
Production receipts must verify against Hekate trust material and retained evidence. This sample demonstrates field shape only; it is not a production receipt, not mainnet certification, and not an assurance that any external agent is safe. Configure the Ed25519 receipt signer before treating web receipts as portable issuer evidence.